Periodic Embedded Real-Time Software

Automotive System

Rate Monotonic Scheduling (RMS)

Task | Period
Engine control | 10ms
Airbag | 40ms
Braking | 40ms
Cruise Control | 50ms
Collision Detection | 50ms
Entertainment | 80ms

Software Engineering Institute | Carnegie Mellon University

Domains: Avionics, Automotive
OS: OSEK, VxWorks, RTEMS
We call them periodic programs
Time-Bounded Verification [FMCAD'11 & '14, VMCAI'13]

Input: Periodic Program
• Collection of periodic tasks
• Execute concurrently with preemptive priority-based scheduling
• Priorities respect RMS
• Communicate through shared memory

Problem: Time-Bounded Verification
• Is assertion A violated within X ms of the system's execution from initial state I?
• A, X, I are user specified
• Time bounds map naturally to the program's functionality (e.g., air bags)

Solution: Bounded Model Checking
• Generate a Verification Condition (SMT formula over bit-vectors)
• Use an SMT solver to check satisfiability

Periodic Program (PP)

An N-task periodic program PP is a set of tasks {τ1, ..., τN}.

A task τ is a tuple (I, T, P, C, A), where
• I is a task identifier = its priority
• T is a task body (i.e., code)
• P is a period
• C is the worst-case execution time
• A is the release time: the time at which the task first becomes enabled

Semantics of PP bounded by time X = asynchronous concurrent program: all tasks execute in parallel with priorities, and each task τi runs

  ki = 0;
  while (Ai + ki × Pi < X && Wait(τi, ki)) { Ti(); ki = ki + 1; }

where Wait(τi, ki) blocks τi until time Ai + ki × Pi.

Periodic Program Example

Low-priority task τ1, high-priority task τ2:
τ1 = (1, J1, 8, 2, 0), τ2 = (2, J2 = J3, 4, 1, 1)

[Figure: timelines 0..8 of τ1 (job J1) and τ2 (jobs J2 and J3)]

Illegal execution: τ1 preempts τ2
Legal execution: τ1 executes for 2 units
Another legal execution: τ1 executes for 1 unit
Verification Condition

• VCseq: encodes purely job-local computation. The value read or written by each shared-variable access is represented by a fresh variable.
• VCclk: associates each shared-variable access with a hierarchical Lamport clock, and constrains the values of the clock components based on timing and priority.
• VCobs: connects the value read at each read to the value written by the most recent write according to the Lamport clock.
Verification Condition VCseq

[Figure: timeline 0..8; τ1 runs job J1, τ2 runs jobs J2 and J3]

Same as the verification condition for a sequential program, except that both reads and writes are given fresh variables:

J1() { x := x + 1; }  →  x2 = x1 + 1
∧
J2() { x := x + 1; }  →  x4 = x3 + 1
∧
J3() { x := x + 1; }  →  x6 = x5 + 1
Verification Condition VCclk

[Figure: the same timeline 0..8; J1 accesses x1 and x2, J2 accesses x3 and x4, J3 accesses x5 and x6]
• πi = priority of the job accessing xi
• π1 = π2 = 1, π3 = π4 = π5 = π6 = 2
• ϑi = number of jobs finished before xi is accessed
• ϑ1 = ϑ3 = ϑ4 = 0, ϑ2 = 1, ϑ5 = ϑ6 = 2
• ιi = index of the instruction accessing xi in the topological ordering of the CFG
• ι1 = ι3 = ι5 = 1, ι2 = ι4 = ι6 = 2

Observe: xi is accessed before xj iff (ϑi, πi, ιi) < (ϑj, πj, ιj), where < is the lexicographic ordering.

Claim/Intuition: This holds for all legal executions, not just this one.
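The following is an added example, not code from the slides or the authors' tool. It simulates the preemptive priority scheduler of the PP semantics on the two-task example (τ1 = (1, J1, 8, 2, 0), τ2 = (2, J2 = J3, 4, 1, 1)), reproduces the legal and illegal executions from the example slide, computes the clock (ϑ, π, ι) of every shared-variable access from the resulting schedule, and then enumerates every legal execution (each job using between 1 and C units) to check the claim that the lexicographic clock order coincides with the order in which accesses happen. The task bodies are taken from the later slides (each job does x := x + 1, i.e., one read then one write of x); the assumption that a job's accesses are spread evenly over the slots it runs in is mine.

```python
# Added example, not from the slides: unit-time simulator of preemptive
# priority scheduling for periodic tasks, used to reproduce the example
# executions and to check the (theta, pi, iota) ordering claim.
from itertools import product

# Tasks as (I = priority, T = body, P, C, A) from the slide.  The body lists
# the shared-variable accesses in topological order; every job does
# x := x + 1, i.e. one read of x followed by one write of x.
TASKS = {
    1: dict(body=[("r", "x"), ("w", "x")], period=8, wcet=2, release=0),  # tau_1
    2: dict(body=[("r", "x"), ("w", "x")], period=4, wcet=1, release=1),  # tau_2
}

def jobs_within(tasks, bound):
    """Jobs released before the time bound X, as ((task, k), release time)."""
    jobs = []
    for tid, t in tasks.items():
        k = 0
        while t["release"] + k * t["period"] < bound:   # guard of the PP loop
            jobs.append(((tid, k), t["release"] + k * t["period"]))
            k += 1
    return jobs

def schedule(tasks, bound, exec_time):
    """Run the PP for `bound` unit slots.  exec_time[(task, k)] is the time a
    job actually uses (any value 1..C is legal).  Returns, per slot, the job
    that ran, or None when the CPU was idle."""
    release = dict(jobs_within(tasks, bound))
    remaining = {j: exec_time[j] for j in release}
    slots = []
    for t in range(bound):
        ready = [j for j in release if release[j] <= t and remaining[j] > 0]
        if not ready:
            slots.append(None)
            continue
        running = max(ready, key=lambda j: (j[0], -release[j]))  # highest priority wins
        remaining[running] -= 1
        slots.append(running)
    return slots

def is_legal(slots, tasks):
    """Legal iff, in every slot, the running job is the highest-priority job
    that has been released and still has work left (it runs again later)."""
    release = dict(jobs_within(tasks, len(slots)))
    for t, running in enumerate(slots):
        ready = [j for j in release if release[j] <= t and j in slots[t:]]
        if ready and running != max(ready, key=lambda j: (j[0], -release[j])):
            return False
    return True

def access_clocks(slots, tasks):
    """For every access (job, iota): its (slot, iota) position in the
    execution and its clock (theta, pi, iota) as defined on the slide."""
    last_slot = {}
    for t, j in enumerate(slots):
        if j is not None:
            last_slot[j] = t
    clocks, positions = {}, {}
    for j in last_slot:
        body = tasks[j[0]]["body"]
        my_slots = [t for t, s in enumerate(slots) if s == j]
        for idx in range(len(body)):
            # assumption: accesses are spread evenly over the job's slots
            slot = my_slots[idx * len(my_slots) // len(body)]
            theta = sum(1 for ls in last_slot.values() if ls < slot)  # jobs finished before
            clocks[(j, idx + 1)] = (theta, j[0], idx + 1)
            positions[(j, idx + 1)] = (slot, idx + 1)
    return clocks, positions

def clock_order_matches(slots, tasks):
    """Does lexicographic clock order coincide with the order of accesses?"""
    clocks, pos = access_clocks(slots, tasks)
    return all((pos[a] < pos[b]) == (clocks[a] < clocks[b])
               for a in clocks for b in clocks if a != b)

def check_all_legal_executions(tasks, bound):
    """Enumerate every legal execution (each job using 1..C units) and return
    (claim holds in all of them, number of executions checked)."""
    jobs = [j for j, _ in jobs_within(tasks, bound)]
    choices = [range(1, tasks[tid]["wcet"] + 1) for tid, _ in jobs]
    results = [clock_order_matches(schedule(tasks, bound, dict(zip(jobs, c))), tasks)
               for c in product(*choices)]
    return all(results), len(results)

if __name__ == "__main__":
    legal = schedule(TASKS, 8, {(1, 0): 2, (2, 0): 1, (2, 1): 1})
    print(legal, is_legal(legal, TASKS))
    print(access_clocks(legal, TASKS)[0])
    print(check_all_legal_executions(TASKS, 8))
</test>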


Verification Condition VCobs

Let Ji = the job in which xi is accessed.

Compute: J ⊑ J' if J always completes before J' starts.

Let Ki = (ϑi, πi, ιi) and, for each read xi, let
Wi = {xj | xj is a write ∧ ¬(Ji ⊑ Jj)}, i.e., the set of all writes that xi "may observe".

VCobs: the value of each xi accessed by a read equals the value of xj such that Kj = max{Kk | Kk < Ki and xk ∈ Wi}, where max{} = the initial value of x.
Verification Condition VCobs

For each read xi introduce κi = clock of the write action observed.

VCobs (for each read xi) =
  (⋀_{xj ∈ Wi} (Kj < Ki ⇒ Kj ≤ κi))
  ∧
  (VC¹obs(i) ∨ (⋁_{xj ∈ Wi} VC²obs(j)))

VC¹obs(i) = (⋀_{xj ∈ Wi} Kj ≮ Ki) ∧ (xi = xInit)      [xi observes the initial value xInit of x]
VC²obs(j) = (Kj < Ki ∧ Kj = κi) ∧ (xi = xj)            [xi observes xj]

In the paper, we handle multiple shared variables.
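As an added example (not the slides' or the authors' code), here is the VCobs "most recent write according to the Lamport clock" rule applied to the three-job x := x + 1 program of the VCseq/VCclk slides, with the clock values Ki = (ϑi, πi, ιi) listed there. The ⊑ relation is not computed by the slides, so it is assumed here from the periods and WCETs (J1 and J2 always complete before J3 is released at time 5). The example resolves every read to the write it observes, evaluates the program under that resolution, and emits the resulting VCseq ∧ VCobs ∧ ¬assertion as a QF_BV SMT-LIB2 query of the kind the approach hands to an SMT solver. It shows the bug the encoding is meant to find: the read x5 in J3 observes x2 (J1's write, clock (1,1,2)), not x4 (J2's earlier write, clock (0,2,2)), so J2's increment is lost and x ends at 2 rather than 3.

```python
# Added example, not from the slides: the VCobs observation rule applied to
# the three-job x := x + 1 program with the slide's fixed clock values.

# SSA accesses: index -> (kind, job, K_i).  Values are the slide's.
ACCESSES = {
    1: ("r", 1, (0, 1, 1)), 2: ("w", 1, (1, 1, 2)),   # J1: x2 = x1 + 1
    3: ("r", 2, (0, 2, 1)), 4: ("w", 2, (0, 2, 2)),   # J2: x4 = x3 + 1
    5: ("r", 3, (2, 2, 1)), 6: ("w", 3, (2, 2, 2)),   # J3: x6 = x5 + 1
}
# J ⊑ J' ("J always completes before J' starts").  Assumed here from the
# periods/WCETs on the slide: J1 and J2 are done before J3 is released at 5.
COMPLETES_BEFORE = {(1, 3), (2, 3)}

def may_observe(i):
    """W_i: the writes x_j with not (J_i ⊑ J_j)."""
    job_i = ACCESSES[i][1]
    return {j for j, (kind, job_j, _) in ACCESSES.items()
            if kind == "w" and (job_i, job_j) not in COMPLETES_BEFORE}

def observed_write(i):
    """The write read by x_i: the clock-maximal x_j in W_i with K_j < K_i,
    or None when x_i observes the initial value of x."""
    k_i = ACCESSES[i][2]
    candidates = [j for j in may_observe(i) if ACCESSES[j][2] < k_i]
    return max(candidates, key=lambda j: ACCESSES[j][2]) if candidates else None

def final_write():
    """Index of the write with the largest clock: the value x has at time X."""
    return max((i for i in ACCESSES if ACCESSES[i][0] == "w"),
               key=lambda i: ACCESSES[i][2])

def evaluate(x_init=0):
    """Concrete semantics under the fixed clocks: (SSA values, final x)."""
    val = {}
    for i in sorted(ACCESSES, key=lambda i: ACCESSES[i][2]):   # in clock order
        if ACCESSES[i][0] == "r":
            src = observed_write(i)
            val[i] = x_init if src is None else val[src]
        else:
            val[i] = val[i - 1] + 1          # VCseq: x_i = x_{i-1} + 1
    return val, val[final_write()]

def to_smtlib(x_init=0, expected=3, width=8):
    """VCseq ∧ VCobs ∧ ¬(final x == expected) in QF_BV SMT-LIB2.
    A 'sat' answer from the solver means the assertion can be violated."""
    lines = ["(set-logic QF_BV)"]
    lines += [f"(declare-const x{i} (_ BitVec {width}))" for i in ACCESSES]
    for i, (kind, _, _) in ACCESSES.items():
        if kind == "w":                       # VCseq
            lines.append(f"(assert (= x{i} (bvadd x{i - 1} (_ bv1 {width}))))")
        else:                                 # VCobs, resolved for the fixed clocks
            src = observed_write(i)
            rhs = f"(_ bv{x_init} {width})" if src is None else f"x{src}"
            lines.append(f"(assert (= x{i} {rhs}))")
    lines.append(f"(assert (not (= x{final_write()} (_ bv{expected} {width}))))")
    lines.append("(check-sat)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(evaluate())        # x5 observes x2, not x4: final x is 2, not 3
    print(to_smtlib())
```

In the real verification condition the clock components are symbolic and constrained by VCclk rather than fixed, so the solver explores all legal interleavings at once; fixing them to one execution, as here, is only a way to see what the observation rule selects and why the non-atomic x := x + 1 across a preemption is a lost update.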


Handling Locks

We handle two types of locks (both involve changing priorities):
• Each thread has a base priority = priority of the task it executes
• Each PCP lock l is associated with a priority π(l)
• A CPU lock is a PCP lock such that π(l) = ∞
• Thread's priority = max(its base priority, priorities of all PCP locks it holds)

A lock operation is encoded by a "priority-test-and-set" action (J, pc, πt, Lr, La):
• Guard: all held locks must have priority less than πt
• Command: locks in Lr are released; locks in La are acquired
• Encoded by updating VCclk and VCobs appropriately

Note: to handle locks, we generalize VC-Gen to support operations that read and write program state (in this case, the set of held locks) atomically.
• This will be useful for snapshotting (coming up)
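The following is an added example, not code from the slides or the tool, modelling the thread-priority rule and the guard/command of the priority-test-and-set action stated above. The lock names and ceilings are constructed sample values, INF stands in for the ∞ priority of the CPU lock, and treating an acquire of lock l as a test against π(l) (so nested locks must be taken in increasing ceiling order) is my reading of the guard, not something the slide spells out.

```python
# Added example, not from the slides: PCP/CPU lock priorities and the
# priority-test-and-set guard, with constructed lock names and ceilings.
INF = float("inf")

# π(l): the priority associated with each PCP lock (constructed values).
LOCK_PRIORITY = {"l_sensor": 3, "l_log": 2, "cpu": INF}

def effective_priority(base, held):
    """Thread priority = max(base priority, π(l) for every PCP lock l held)."""
    return max([base] + [LOCK_PRIORITY[l] for l in held])

def priority_test_and_set(held, pi_t, release, acquire):
    """One (pc, π_t, L_r, L_a) action on a thread's set of held locks.
    Guard: every held lock has priority < π_t.  Command: release L_r and
    acquire L_a.  Returns the new held set, or None when the guard fails
    (the action is disabled in that state)."""
    if any(LOCK_PRIORITY[l] >= pi_t for l in held):
        return None
    return (set(held) - set(release)) | set(acquire)

def lock(held, l):
    """Acquire l, testing against π(l): assumption that locks are therefore
    taken in strictly increasing ceiling order."""
    return priority_test_and_set(held, LOCK_PRIORITY[l], set(), {l})

def can_preempt(other_base, base, held):
    """A job of base priority other_base preempts a thread only if it
    out-ranks the thread's lock-raised priority; never while a CPU lock is held."""
    return other_base > effective_priority(base, held)

if __name__ == "__main__":
    h = lock(set(), "l_log")
    print(h, effective_priority(1, h), can_preempt(2, 1, h), can_preempt(3, 1, h))
    h = lock(h, "cpu")
    print(h, can_preempt(10**6, 1, h), lock(h, "l_sensor"))
```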
Snapshotting: Problem

J1() { t := x; if (t) x := t + 1; else x := t + 2; }
J2() { t := x; if (t) x := t + 1; else x := t + 2; }
...
Jn() { t := x; if (t) x := t + 1; else x := t + 2; }

Snapshotting: Solution

Atomically read and write the variable at the end of the job. This access dominates all other accesses in the job.

J1() { t := x; if (t) x := t + 1; else x := t + 2; atomic: x := x; }
...

In SSA form:
{ t := x1; if (t) x2 := t + 1; else x3 := t + 2; x4 := x4; }
{ t := x5; if (t) x6 := t + 1; else x7 := t + 2; x8 := x8; }
...
{ t := x4n−3; if (t) x4n−2 := t + 1; else x4n−1 := t + 2; x4n := x4n; }

Now: W1 = W4 = {x2, x3}, W5 = W8 = {x4, x6, x7}, W9 = W12 = {x8, x10, x11}, ...
Result: VCobs has smaller disjunctions with fewer redundant sub-formulas
Empirically: SMT solvers scale beyond a small number of jobs
Choice of variables to snapshot: (i) all variables, (ii) only those written by the job
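As an added example (not the slides' code), the following computes the "may observe" sets Wi for the n-job chain above, with and without snapshotting, and the total size of the VCobs disjunctions that result. It assumes, as the slide's picture does, that the jobs run strictly in sequence (Jk completes before Jk+1 starts, so nothing is preempted); under that assumption the three Ψ sets of the next slide reduce to "the previous job's snapshot" and "the job's own writes", which is what the code uses. The index numbering follows the slide (three accesses per job without snapshots, four with).

```python
# Added example, not from the slides: W_i for the n-job chain, with and
# without the per-job snapshot x := x, assuming the jobs never preempt
# each other (strict sequence J_1, J_2, ..., J_n).

def ssa_chain(n, snapshot):
    """Accesses of the chain as (index, kind, job), kind in
    {"r": read, "w": write, "s": snapshot}; indices follow the slide."""
    acc, per_job = [], 4 if snapshot else 3
    for k in range(1, n + 1):
        base = per_job * (k - 1)
        acc += [(base + 1, "r", k), (base + 2, "w", k), (base + 3, "w", k)]
        if snapshot:
            acc.append((base + 4, "s", k))
    return acc

def may_observe_sets(n, snapshot):
    """W_i for every read and snapshot x_i of the chain."""
    acc = ssa_chain(n, snapshot)
    writes = [(i, k) for i, kind, k in acc if kind == "w"]
    snaps = [(i, k) for i, kind, k in acc if kind == "s"]
    W = {}
    for i, kind, k in acc:
        if kind == "w":
            continue
        if not snapshot:
            # original definition: every write of a job not known to start
            # after J_k, i.e. of J_1 .. J_k, so |W_i| grows linearly with k
            W[i] = {j for j, kj in writes if kj <= k}
        else:
            # Psi_1: snapshot of the latest earlier job (J_{k-1});
            # Psi_2: snapshots of preemptors (none in a chain);
            # Psi_3: writes of J_k itself and its preemptors (just J_k here)
            W[i] = ({j for j, kj in snaps if kj == k - 1}
                    | {j for j, kj in writes if kj == k})
    return W

def disjunction_size(n, snapshot):
    """Sum of |W_i| over all reads and snapshots: the number of VC²obs
    disjuncts VCobs carries.  Quadratic in n without snapshots, linear with."""
    return sum(len(w) for w in may_observe_sets(n, snapshot).values())

if __name__ == "__main__":
    print(may_observe_sets(3, True))
    for n in (3, 10, 100):
        print(n, disjunction_size(n, False), disjunction_size(n, True))
```

Note that for very short chains snapshotting adds more variables than it removes disjuncts (n = 3 gives 12 disjuncts without and 16 with; the crossover is at n = 5), which is the same effect the observability tables later show: |W(P)| is larger under ALL and MOD than under NONE, while AvgObs(P) drops by an order of magnitude.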
Verification Condition VCobs with Snapshotting

Input: Snaps(J) = the set of variables snapshotted by J
Compute: the relation J ⊲ J' iff J can be preempted by J'

Let Ψ1(J, g) = the maximal jobs less than J that snapshot g
Let Ψ2(J, g) = {J' | J ⊲ J' ∧ g ∈ Snaps(J')}
Let Ψ3(J) = {J' | J' = J ∨ J ⊲ J'}

Wi = {xj | xj is a snapshot ∧ Jj ∈ Ψ1(Ji, g)} ∪
     {xj | xj is a snapshot ∧ Jj ∈ Ψ2(Ji, g)} ∪
     {xj | xj is a write ∧ Jj ∈ Ψ3(Ji)}

VCobs = same as before, with the new definition of Wi above

Efficient Verification of Periodic Programs | Software Engineering Institute, Carnegie Mellon University | sagarchaki, October 24, 2014 | © 2014 Carnegie Mellon University

Results (Time in seconds)

Benchmark | NONE | ALL | MOD | REKH
nxt.bug1:H1 | 33 | 9 | 7 | 1?
nxt.bug2:H1 | 32 | 10 | 7 | 31
nxt.ok1:H1 | 19 | 7 | 8 | 17
nxt.ok2:H1 | 20 | 7 | 6 | 29
nxt.ok3:H1 | 30 | 8 | ? | 31
aso.bug1:H1 | 29 | 9 | 9 | 34
aso.bug2:H1 | 28 | 10 | 9 | 32
aso.bug3:H1 | 29 | 13 | 11 | 80
aso.bug4:H1 | 32 | 17 | 9 | 66
aso.ok1:H1 | 32 | 11 | 10 | 32
aso.ok2:H1 | 38 | 29 | 17 | 67
nxt.bug1:H4 | * | 119 | 74 | *
nxt.bug2:H4 | * | 172 | 92 | *
nxt.ok1:H4 | ? | 89 | 49 | *

* = did not finish within the 2GB memory limit / 60min time limit
? = cell illegible or lost in the source (in such rows the surviving values are listed in source order, so their column assignment is uncertain)
NONE = no snapshotting, ALL = snapshot all variables, MOD = snapshot only modified variables, REKH = previous tool based on sequentialization


Results (Time in seconds), continued

Benchmark | NONE | ALL | MOD | REKH
nxt.ok2:H4 | * | 125 | 49 | *
nxt.ok3:H4 | * | 358 | 133 | *
aso.bug1:H4 | * | ? | 92 | *
aso.bug2:H4 | * | 147 | 74 | *
aso.bug3:H4 | ? | 209 | 13? | *
aso.bug4:H4 | * | 329 | 152 | *
aso.ok1:H4 | * | 270 | 210 | *
aso.ok2:H4 | ? | 1312 | ? | *
ctm.bug2 | 36 | 29 | 21 | 105
ctm.bug3 | * | 124 | 59 | 25?
ctm.ok1 | 23 | 37 | 21 | 122
ctm.ok2 | 28 | 26 | 17 | 111
ctm.ok3 | ? | 116 | 53 | 275
ctm.ok4 | ? | 320 | 143 | 395

* = did not finish within the 2GB memory limit / 60min time limit
? = cell illegible or lost in the source (in such rows the surviving values are listed in source order, so their column assignment is uncertain)
NONE = no snapshotting, ALL = snapshot all variables, MOD = snapshot only modified variables, REKH = previous tool based on sequentialization
Observability Sizes

Benchmark | AvgObs NONE | AvgObs ALL | AvgObs MOD | W-size NONE | W-size ALL | W-size MOD
nxt.bug1:H1 | 25.6 | 2.9 | 2.9 | 298 | 455 | 416
nxt.bug2:H1 | 26.5 | 3.1 | 3.2 | 310 | 492 | 429
nxt.ok1:H1 | 25.6 | 2.9 | 2.9 | 298 | 455 | 416
nxt.ok2:H1 | 25.4 | 3.0 | 2.9 | 298 | 454 | 415
nxt.ok3:H1 | 26.5 | 3.1 | 3.2 | 310 | 492 | 429
aso.bug1:H1 | 26.0 | 3.6 | 3.6 | 304 | 512 | 427
aso.bug2:H1 | 26.4 | 3.7 | 3.7 | 308 | 516 | 431
aso.bug3:H1 | 25.5 | 3.6 | 3.5 | 355 | 615 | 504
aso.bug4:H1 | 26.5 | 4.6 | 4.4 | 309 | 543 | 434
aso.ok1:H1 | 27.1 | 4.1 | 4.2 | 311 | 519 | 434
aso.ok2:H1 | 26.5 | 4.6 | 4.4 | 311 | 545 | 436
nxt.bug1:H4 | 99.5 | 3.0 | 3.0 | 1192 | 1835 | 1676
nxt.bug2:H4 | 102.9 | 3.1 | 3.2 | 1240 | 1989 | 1731
nxt.ok1:H4 | 99.5 | 3.0 | 3.0 | 1192 | 1835 | 1676

AvgObs = AvgObs(P) = average number of reads observing each write or snapshot
W-size = |W(P)| = total number of snapshot and write variables
Observability Sizes, continued

Benchmark | AvgObs NONE | AvgObs ALL | AvgObs MOD | W-size NONE | W-size ALL | W-size MOD
nxt.ok2:H4 | 99.3 | 3.0 | 3.0 | 1192 | 1834 | 1675
nxt.ok3:H4 | 102.9 | 3.1 | 3.2 | 1240 | 1989 | 1731
aso.bug1:H4 | 99.9 | 3.6 | 3.6 | 1216 | 2072 | 1723
aso.bug2:H4 | 101.6 | 3.7 | 3.7 | 1232 | 2088 | 1739
aso.bug3:H4 | 98.3 | 3.6 | 3.5 | 1420 | 2490 | 2034
aso.bug4:H4 | 100.4 | 4.6 | 4.4 | 1236 | 2199 | 1751
aso.ok1:H4 | 103.2 | 4.1 | 4.2 | 1244 | 2100 | 1751
aso.ok2:H4 | 100.1 | 4.6 | 4.4 | 1244 | 2207 | 1759
ctm.bug2 | 17.9 | 4.1 | 4.5 | 512 | 1052 | 683
ctm.bug3 | 26.6 | 4.1 | 4.5 | 768 | 1588 | 1033
ctm.ok1 | 18.6 | 4.1 | 4.6 | 512 | 1052 | 684
ctm.ok2 | 18.1 | 4.1 | 4.5 | 512 | 1052 | 683
ctm.ok3 | 27.9 | 4.1 | 4.5 | 780 | 1600 | 1057
ctm.ok4 | 36.4 | 4.2 | 4.7 | 1040 | 2140 | 1400

AvgObs = AvgObs(P) = average number of reads observing each write or snapshot
W-size = |W(P)| = total number of snapshot and write variables
Related Work

Generate the verification condition by encoding the dataflow between reads and writes using Lamport clocks:
• Nishant Sinha, Chao Wang: Staged concurrent program analysis. SIGSOFT FSE 2010: 47-56

Generate a verification condition per scheduling round using prophecy variables, and ensure that the output of one round equals the input to the next:
• Akash Lal, Thomas W. Reps: Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis. CAV 2008: 37-51

• Snapshotting combines both ideas
• Interplay between logical clocks and prophecy variables
• Both due to Lamport